SSH login takes very long time...sometimes
Atanas
atanas at asd.aplus.net
Fri Feb 17 13:34:09 PST 2006
Mike Tancsa said the following on 02/17/06 11:50:
> At 09:17 PM 16/02/2006, Atanas wrote:
>
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is
>> capable of setting connection rate limits?
>
> Why not just launch sshd out of inetd ?
>
Primarily because of the big scare sign in the sshd man page:
-i Specifies that sshd is being run from inetd(8). sshd is normally
not run from inetd because it needs to generate the server key
before it can respond to the client, and this may take tens of
^^^^^^^
seconds. Clients would have to wait too long if the key was
^^^^^^^
regenerated every time. However, with small key sizes (e.g.,
512) using sshd from inetd may be feasible.
It was my fault not verifying how much time it really takes. I just
tested it on a couple of machines, and it seems to be way faster:
# time ssh blah at 6-STABLE-2048-bit-inetd
real 0m0.669s
user 0m0.012s
sys 0m0.000s
# time ssh blah at 5-STABLE-1024-bit-inetd
real 0m0.374s
user 0m0.000s
sys 0m0.008s
# time ssh blah at 5-STABLE-1024-bit-daemon
real 0m0.348s
user 0m0.000s
sys 0m0.008s
I ran this multiple times. The first one defaults to 2048-bit key (a
6-STABLE based box), the second one - to 1048 bit (5.4), the third one
to a standalone ssh daemon.
So what the man page says about the timings could have been true some 10
years ago, but not now.
> Start up inetd with -wWl -C 5
>
> In inetd.conf
> ssh stream tcp nowait root /usr/sbin/sshd /usr/sbin/sshd -i
>
> This will allow 5 connections per min from a single IP.
>
Yeah, I still use it to run (pro)ftpd, and never had problems with that.
It's possible to specify also per entry limits, like:
ftp stream tcp nowait/100/60/10 root /usr/libexec/ftpd ftpd -l
ssh stream tcp nowait/50/10/5 root /usr/sbin/sshd sshd -i
50/10/5 = max-children/max-conn-per-ip-per-minute/max-child-per-ip
Regards,
Atanas
More information about the freebsd-stable
mailing list